

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>Integrating with OpenStack Keystone &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script src="../../_static/doctools.js"></script>
        <script src="../../_static/sphinx_highlight.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="Integrating with OpenStack Barbican" href="../barbican/" />
    <link rel="prev" title="NFS" href="../nfs/" />
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <section id="openstack-keystone">
<h1>Integrating with OpenStack Keystone<a class="headerlink" href="#openstack-keystone" title="Permalink to this heading"></a></h1>
<p>The Ceph Object Gateway can integrate with Keystone, the OpenStack identity service. This sets up the gateway to accept Keystone as the users' authority: a user that Keystone authorizes to access the gateway is created automatically on the Ceph Object Gateway if it does not exist yet, and a token that Keystone validates is considered valid by the gateway.</p>
<p>The following configuration options are available for Keystone integration:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>[client.radosgw.gateway]
rgw keystone api version = {keystone api version}
rgw keystone url = {keystone server url:keystone server admin port}
rgw keystone admin token = {keystone admin token}
rgw keystone admin token path = {path to keystone admin token} # preferred
rgw keystone accepted roles = {accepted user roles}
rgw keystone token cache size = {number of tokens to cache}
rgw keystone implicit tenants = {true for private tenant for each new user}
</pre></div>
</div>
<p>It is also possible to configure a Keystone service tenant, user and password (for the v2.0 version of the OpenStack Identity API), much as OpenStack services themselves are configured. This avoids placing the shared secret <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">admin</span> <span class="pre">token</span></code> in the configuration file, which is not recommended for production environments. The service tenant credentials should have admin privileges; see the <a class="reference external" href="http://docs.openstack.org/developer/keystone/configuringservices.html#setting-up-projects-users-and-roles">OpenStack Keystone documentation</a>, which explains the process in detail. The required configuration options are:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>rgw keystone admin user = {keystone service tenant user name}
rgw keystone admin password = {keystone service tenant user password}
rgw keystone admin password path = {path to keystone service tenant user password} # preferred
rgw keystone admin tenant = {keystone service tenant name}
</pre></div>
</div>
<p>A Ceph Object Gateway user is mapped to a Keystone <code class="docutils literal notranslate"><span class="pre">tenant</span></code>. A Keystone user has different roles assigned to it, possibly on more than one tenant. When the Ceph Object Gateway receives the ticket, it looks at the tenant and at the user roles assigned to that ticket, and accepts or rejects the request according to the <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">accepted</span> <span class="pre">roles</span></code> setting.</p>
<p>For the v3 version of the OpenStack Identity API, replace
<code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">admin</span> <span class="pre">tenant</span></code> with:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>rgw keystone admin domain = {keystone admin domain name}
rgw keystone admin project = {keystone admin project name}
</pre></div>
</div>
<p>For compatibility with previous versions of ceph, it is also
possible to set <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">implicit</span> <span class="pre">tenants</span></code> to either
<code class="docutils literal notranslate"><span class="pre">s3</span></code> or <code class="docutils literal notranslate"><span class="pre">swift</span></code>.  This has the effect of splitting
the identity space such that the indicated protocol will
only use implicit tenants, and the other protocol will
never use implicit tenants.  Some older versions of ceph
only supported implicit tenants with swift.</p>
<section id="ocata">
<h2>Ocata (and later)<a class="headerlink" href="#ocata" title="Permalink to this heading"></a></h2>
<p>Keystone itself needs to be configured to point to the Ceph Object Gateway as an object-storage endpoint:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>openstack service create --name=swift \
                         --description=&quot;Swift Service&quot; \
                         object-store
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Swift Service                    |
| enabled     | True                             |
| id          | 37c4c0e79571404cb4644201a4a6e5ee |
| name        | swift                            |
| type        | object-store                     |
+-------------+----------------------------------+

openstack endpoint create --region RegionOne \
     --publicurl   &quot;http://radosgw.example.com:8080/swift/v1&quot; \
     --adminurl    &quot;http://radosgw.example.com:8080/swift/v1&quot; \
     --internalurl &quot;http://radosgw.example.com:8080/swift/v1&quot; \
     swift
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| adminurl     | http://radosgw.example.com:8080/swift/v1 |
| id           | e4249d2b60e44743a67b5e5b38c18dd3         |
| internalurl  | http://radosgw.example.com:8080/swift/v1 |
| publicurl    | http://radosgw.example.com:8080/swift/v1 |
| region       | RegionOne                                |
| service_id   | 37c4c0e79571404cb4644201a4a6e5ee         |
| service_name | swift                                    |
| service_type | object-store                             |
+--------------+------------------------------------------+

openstack endpoint show object-store
+--------------+------------------------------------------+
| Field        | Value                                    |
+--------------+------------------------------------------+
| adminurl     | http://radosgw.example.com:8080/swift/v1 |
| enabled      | True                                     |
| id           | e4249d2b60e44743a67b5e5b38c18dd3         |
| internalurl  | http://radosgw.example.com:8080/swift/v1 |
| publicurl    | http://radosgw.example.com:8080/swift/v1 |
| region       | RegionOne                                |
| service_id   | 37c4c0e79571404cb4644201a4a6e5ee         |
| service_name | swift                                    |
| service_type | object-store                             |
+--------------+------------------------------------------+
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If your radosgw <code class="docutils literal notranslate"><span class="pre">ceph.conf</span></code> sets the configuration option
<code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">swift</span> <span class="pre">account</span> <span class="pre">in</span> <span class="pre">url</span> <span class="pre">=</span> <span class="pre">true</span></code>, your <code class="docutils literal notranslate"><span class="pre">object-store</span></code>
endpoint URLs must be set to include the suffix
<code class="docutils literal notranslate"><span class="pre">/v1/AUTH_%(tenant_id)s</span></code> (instead of just <code class="docutils literal notranslate"><span class="pre">/v1</span></code>).</p>
</div>
<p>The Keystone URL is the Keystone admin RESTful API URL. The admin token is the
token that is configured internally in Keystone for admin requests.</p>
<p>The OpenStack Keystone component may be terminated with a self-signed SSL certificate. To let radosgw talk to such a Keystone, install Keystone's SSL certificate on the node running radosgw. Alternatively, radosgw can be configured not to verify SSL certificates at all (similar to OpenStack clients run with the <code class="docutils literal notranslate"><span class="pre">--insecure</span></code> switch) by setting
<code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">verify</span> <span class="pre">ssl</span></code> to <code class="docutils literal notranslate"><span class="pre">false</span></code>. With verification disabled, anything that can interpose on the connection between radosgw and Keystone can answer token-validation requests in Keystone's place, so outside of test deployments install the certificate instead.</p>
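<p>The following linter is an added example, not code from the Ceph project: it reads the Keystone settings from a radosgw <code class="docutils literal notranslate"><span class="pre">ceph.conf</span></code> section and reports the points made on this page, namely an admin token or password kept inline rather than referenced by path, <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">verify</span> <span class="pre">ssl</span> <span class="pre">=</span> <span class="pre">false</span></code>, a <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">swift</span> <span class="pre">account</span> <span class="pre">in</span> <span class="pre">url</span></code> setting that disagrees with the object-store endpoint template, and (for the service-token support described later on this page) an expired-token cache expiration that is not lower than Keystone's <code class="docutils literal notranslate"><span class="pre">[token]/allow_expired_window</span></code>. The sample configuration, endpoint URL and window value are constructed for illustration; option names are the ones documented here with spaces normalised to underscores, and the plain-http check on the Keystone URL is a general observation rather than something this page states.</p>

```python
"""Added example, not part of Ceph or radosgw: lint the Keystone-related
settings of a radosgw ceph.conf section against the caveats on this page.
All sample inputs below are constructed for illustration."""
import configparser
from urllib.parse import urlsplit

# Constructed ceph.conf fragment: deliberately contains each problem the linter reports.
SAMPLE_CONF = """
[client.radosgw.gateway]
rgw keystone api version = 3
rgw keystone url = https://keystone.example.com:5000
rgw keystone admin token = 0123456789abcdef          # shared secret kept inline
rgw keystone accepted roles = member, admin
rgw keystone verify ssl = false
rgw swift account in url = true
rgw keystone service token enabled = true
rgw keystone expired token cache expiration = 7200
"""
# Constructed Keystone object-store endpoint: no AUTH_ suffix despite account-in-url.
SAMPLE_ENDPOINT = "http://radosgw.example.com:8080/swift/v1"
SAMPLE_ALLOW_EXPIRED_WINDOW = 3600  # Keystone [token]/allow_expired_window, in seconds


def parse_rgw_section(text, section="client.radosgw.gateway"):
    """Return the section as {option_with_underscores: value}; ceph accepts
    both 'rgw keystone url' and 'rgw_keystone_url' spellings."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return {k.strip().replace(" ", "_"): v.strip() for k, v in cp.items(section)}


def _is_true(conf, key):
    return conf.get(key, "false").strip().lower() in ("true", "1", "yes")


def render_endpoint(template, project_id):
    """Expand a Keystone endpoint template such as .../AUTH_%(project_id)s."""
    return template % {"project_id": project_id, "tenant_id": project_id}


def lint_keystone_config(conf, endpoint_url, allow_expired_window=None):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    if conf.get("rgw_keystone_admin_token"):
        findings.append(("admin-token-inline",
            "shared admin token stored in the config file; use "
            "rgw_keystone_admin_token_path or a service user/password instead"))
    if conf.get("rgw_keystone_admin_password"):
        findings.append(("admin-password-inline",
            "admin password stored in the config file; prefer rgw_keystone_admin_password_path"))
    if conf.get("rgw_keystone_verify_ssl", "true").lower() == "false":
        findings.append(("verify-ssl-disabled",
            "rgw_keystone_verify_ssl = false: Keystone's certificate is not validated"))
    if urlsplit(conf.get("rgw_keystone_url", "")).scheme == "http":
        findings.append(("keystone-url-plaintext",
            "rgw_keystone_url uses plain http; token validation traffic is unencrypted"))

    # The AUTH_ suffix in the endpoint and rgw_swift_account_in_url must agree.
    if "$(" in endpoint_url:
        findings.append(("endpoint-shell-substitution",
            "endpoint contains '$(...)', which a shell executes; Keystone templates use %(project_id)s"))
    has_suffix = "AUTH_%(project_id)s" in endpoint_url or "AUTH_%(tenant_id)s" in endpoint_url
    account_in_url = _is_true(conf, "rgw_swift_account_in_url")
    if account_in_url and not has_suffix:
        findings.append(("account-in-url-mismatch",
            "rgw_swift_account_in_url = true but the object-store endpoint lacks /AUTH_%(project_id)s"))
    elif has_suffix and not account_in_url:
        findings.append(("account-in-url-mismatch",
            "object-store endpoint carries /AUTH_%(project_id)s but rgw_swift_account_in_url is not enabled"))

    # Service-token support: the gateway's cache expiry must stay below Keystone's window.
    if _is_true(conf, "rgw_keystone_service_token_enabled") and allow_expired_window is not None:
        cache_exp = conf.get("rgw_keystone_expired_token_cache_expiration")
        if cache_exp is not None and int(cache_exp) >= int(allow_expired_window):
            findings.append(("expired-token-window",
                f"rgw_keystone_expired_token_cache_expiration ({cache_exp}s) must be lower than "
                f"Keystone [token]/allow_expired_window ({allow_expired_window}s)"))
    return findings


def lint_sample():
    conf = parse_rgw_section(SAMPLE_CONF)
    return lint_keystone_config(conf, SAMPLE_ENDPOINT, SAMPLE_ALLOW_EXPIRED_WINDOW)


if __name__ == "__main__":
    for code, msg in lint_sample():
        print(f"{code}: {msg}")
```

<p>Run against the constructed sample it reports four findings; feeding it the real <code class="docutils literal notranslate"><span class="pre">[client.radosgw.*]</span></code> section and the URL from <code class="docutils literal notranslate"><span class="pre">openstack</span> <span class="pre">endpoint</span> <span class="pre">show</span> <span class="pre">object-store</span></code> is the intended use.</p>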
</section>
<section id="project-tenant">
<h2>Cross Project (Tenant) Access<a class="headerlink" href="#project-tenant" title="Permalink to this heading"></a></h2>
<p>In order to let a project (earlier called a ‘tenant’) access buckets belonging to a different project, the following config option needs to be enabled:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>rgw swift account in url = true
</pre></div>
</div>
<p>The Keystone object-store endpoint must accordingly be configured to include the AUTH_%(project_id)s suffix:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span> openstack endpoint create --region RegionOne \
     --publicurl   &quot;http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s&quot; \
     --adminurl    &quot;http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s&quot; \
     --internalurl &quot;http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s&quot; \
     swift
+--------------+--------------------------------------------------------------+
| Field        | Value                                                        |
+--------------+--------------------------------------------------------------+
| adminurl     | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
| id           | e4249d2b60e44743a67b5e5b38c18dd3                             |
| internalurl  | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
| publicurl    | http://radosgw.example.com:8080/swift/v1/AUTH_$(project_id)s |
| region       | RegionOne                                                    |
| service_id   | 37c4c0e79571404cb4644201a4a6e5ee                             |
| service_name | swift                                                        |
| service_type | object-store                                                 |
+--------------+--------------------------------------------------------------+
</pre></div>
</div>
</section>
<section id="keystone-s3-api">
<h2>Keystone integration with the S3 API<a class="headerlink" href="#keystone-s3-api" title="Permalink to this heading"></a></h2>
<p>It is possible to use Keystone for authentication even when using the
S3 API (with AWS-like access and secret keys), if the <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">s3</span> <span class="pre">auth</span>
<span class="pre">use</span> <span class="pre">keystone</span></code> option is set. For details, see
<a class="reference internal" href="../s3/authentication/"><span class="doc">Authentication and ACLs</span></a>.</p>
</section>
<section id="service-token-support">
<h2>Service token support<a class="headerlink" href="#service-token-support" title="Permalink to this heading"></a></h2>
<p>Service-token support can be enabled in the RadosGW Keystone integration so that an
expired user token is accepted when the request also carries a valid service token.</p>
<p>Enable the support with <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">service</span> <span class="pre">token</span> <span class="pre">enabled</span></code> and use the
<code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">service</span> <span class="pre">token</span> <span class="pre">accepted</span> <span class="pre">roles</span></code> option to specify which roles are considered
service roles.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">expired</span> <span class="pre">token</span> <span class="pre">cache</span> <span class="pre">expiration</span></code> option tunes how long an
expired token that was admitted alongside a service token stays in the token cache. It must be set
lower than the <code class="docutils literal notranslate"><span class="pre">[token]/allow_expired_window</span></code> option in the Keystone configuration,
otherwise the gateway could keep honouring a cached token past the window in which Keystone itself would still validate it.</p>
<p>Enabling this causes an expired token given in the X-Auth-Token header to be allowed
if it is coupled with an X-Service-Token header containing a valid token that carries one of the
accepted service roles. This lets long-running processes that use a user token in X-Auth-Token keep
working beyond the token's expiration. Because any holder of a token with an accepted service role
can extend expired user tokens this way, keep the set of service roles small and protect the
service credentials accordingly.</p>
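<p>As an added example (not radosgw's own code), the following Python model implements the accept/reject decision described on this page: role matching against <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">accepted</span> <span class="pre">roles</span></code>, and the service-token rule from this section, under which an expired X-Auth-Token is admitted only alongside a non-expired X-Service-Token carrying one of <code class="docutils literal notranslate"><span class="pre">rgw</span> <span class="pre">keystone</span> <span class="pre">service</span> <span class="pre">token</span> <span class="pre">accepted</span> <span class="pre">roles</span></code>, with the expiry checked against Keystone's <code class="docutils literal notranslate"><span class="pre">[token]/allow_expired_window</span></code>. The token documents are constructed in the shape of a Keystone v3 token-validation response; rejecting unscoped tokens and mirroring <code class="docutils literal notranslate"><span class="pre">allow_expired_window</span></code> in the gateway-side check are simplifying assumptions of this model.</p>

```python
"""Added example, not radosgw's own code: a model of the accept/reject
decision this page describes, including the service-token rule.
Token documents below are constructed in the shape of a Keystone v3
token-validation response (GET /v3/auth/tokens)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo
_TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # Keystone's expires_at format


def sample_token(roles, expires_at, user="user-1", project="proj-1"):
    """Build a constructed validation response carrying the given role names."""
    return {"token": {
        "expires_at": expires_at.strftime(_TS),
        "user": {"id": user, "name": user},
        "project": {"id": project, "name": "demo", "domain": {"id": "default"}},
        "roles": [{"id": "role-" + r, "name": r} for r in roles],
    }}


@dataclass(frozen=True)
class TokenInfo:
    user_id: str
    project_id: Optional[str]
    roles: FrozenSet[str]
    expires_at: datetime


def parse_keystone_v3_token(body):
    t = body["token"]
    return TokenInfo(
        user_id=t["user"]["id"],
        project_id=t.get("project", {}).get("id"),   # None for an unscoped token
        roles=frozenset(r["name"] for r in t.get("roles", [])),
        expires_at=datetime.strptime(t["expires_at"], _TS).replace(tzinfo=timezone.utc),
    )


@dataclass(frozen=True)
class RgwKeystoneConfig:
    accepted_roles: FrozenSet[str]                  # rgw keystone accepted roles
    service_token_enabled: bool = False             # rgw keystone service token enabled
    service_token_accepted_roles: FrozenSet[str] = frozenset()  # rgw keystone service token accepted roles
    allow_expired_window: timedelta = timedelta(0)  # Keystone [token]/allow_expired_window; assumption:
                                                    # mirrored here, Keystone enforces it on validation


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(cfg, user_token, service_token=None, now=NOW):
    """Decide a request carrying X-Auth-Token (and optionally X-Service-Token)."""
    if user_token is None:
        return Decision(False, "no X-Auth-Token")
    if user_token.project_id is None:
        return Decision(False, "token is not project-scoped")   # assumption: no tenant to map to
    expired = user_token.expires_at <= now
    if expired:
        # An expired user token is only admitted under the service-token rule.
        if not cfg.service_token_enabled or service_token is None:
            return Decision(False, "token expired")
        if service_token.expires_at <= now:
            return Decision(False, "X-Service-Token expired")
        if not (service_token.roles & cfg.service_token_accepted_roles):
            return Decision(False, "X-Service-Token lacks an accepted service role")
        if now - user_token.expires_at > cfg.allow_expired_window:
            return Decision(False, "token expired outside allow_expired_window")
    # Role names are compared verbatim (case-sensitive) against the accepted roles.
    if not (user_token.roles & cfg.accepted_roles):
        return Decision(False, "token carries none of the accepted roles")
    return Decision(True, "accepted via service token" if expired else "accepted")


def demo():
    """Run the decision over constructed scenarios; returns {name: Decision}."""
    cfg = RgwKeystoneConfig(accepted_roles=frozenset({"member", "admin"}),
                            service_token_enabled=True,
                            service_token_accepted_roles=frozenset({"service"}),
                            allow_expired_window=timedelta(days=2))
    fresh = parse_keystone_v3_token(sample_token(["member"], NOW + timedelta(hours=1)))
    reader = parse_keystone_v3_token(sample_token(["reader"], NOW + timedelta(hours=1)))
    stale = parse_keystone_v3_token(sample_token(["member"], NOW - timedelta(hours=1)))
    ancient = parse_keystone_v3_token(sample_token(["member"], NOW - timedelta(days=3)))
    svc = parse_keystone_v3_token(sample_token(["service"], NOW + timedelta(hours=1),
                                               user="glance", project="service"))
    return {
        "fresh": authorize(cfg, fresh),
        "wrong_role": authorize(cfg, reader),
        "stale_no_service_token": authorize(cfg, stale),
        "stale_with_service_token": authorize(cfg, stale, svc),
        "ancient_with_service_token": authorize(cfg, ancient, svc),
        "stale_with_user_token_as_service": authorize(cfg, stale, fresh),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:34s} {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
```

<p>The last scenario is the one worth checking in a real deployment: a second ordinary user token presented as X-Service-Token must not rescue an expired X-Auth-Token, which is why the service roles are matched separately from the accepted user roles.</p>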
</section>
</section>





           </div>
           
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>